What the FinCEN Files Say about the State of Financial Crime Compliance

This week saw the International Consortium of Investigative Journalists (ICIJ) expose thousands of confidential documents – including leaked Suspicious Activity Reports (SARs) – in the mainstream media.

Known as the FinCEN Files, the investigation has raised significant concerns as to the scale of money laundering, or otherwise suspicious financial activity, that has been flowing through the international banking system. This is despite the fact that banking is the most heavily regulated industry when it comes to anti-money laundering and countering the financing of terrorism (AML/CFT).

We wanted to provide some initial observations on the FinCEN Files, and what the leaked documents say about the current state of the global financial crime compliance landscape.

Banks have been detecting and reporting huge volumes of Suspicious Activity Reports – but is it enough?

It’s easy to point the finger at banks for any lapse of process or judgement when it comes to financial crime. They are the main gatekeepers of the global financial system and are obligated to detect and report on any suspicious (and potentially suspicious) financial activity flowing through their networks.

While banks are the “usual suspects” when uncovering murky financial activities, the public is generally less aware of the existence of “Financial Intelligence Units” (FIUs) in the fight against financial crime. FIUs are the critical link between the private sector that detects suspicious activity, and the law enforcement authorities that are empowered to investigate and prosecute criminals.

And the banks have been feeding them a plethora of leads and intelligence. Between 2011 and 2017 FinCEN – the United States’ FIU – received more than 12 million SARs, as well as more than two million in 2019 alone.

The volume of Suspicious Activity Reports (SARs) sent to FinCEN demonstrates how critical FIUs are in a country’s national AML/CFT regulatory framework. The FinCEN Files are a drop in the ocean: they represent less than 0.02% of the SARs filed in the main period they cover.[1]

The growth in the volume of SARs submitted during this period raises questions. Are more reports being filed because there is more financial crime occurring? Are financial institutions becoming more effective at detecting suspicious activity? Or are they increasingly prone to filing SARs defensively (“just in case”), rather than carrying out a lengthy analysis process?

While the number of SARs has increased, closer attention needs to be paid to their quality. The FinCEN Files suggest financial institutions need to go further to report suspicious activity much more effectively.

The very fact that the leaked documents are SARs suggests that banks have been detecting and taking steps to report those suspicious transactions with some success. It would have been much worse if those transactions had been processed without SARs being filed at all.

However, filing a SAR to tick a compliance box is not sufficient. If the information included is not detailed enough or is submitted a long time after the transaction has taken place, it holds far less value to the authorities. That’s where the process becomes ineffective.

Additionally, for the system to be fully functional, there needs to be follow up action in response to any confirmed illicit behaviour. These actions could include the banks terminating suspect business relationships, and the authorities implementing asset freezes, forfeitures, and prosecutions.

Compliance versus profit: the balance is still far from perfect

The FinCEN Files leak has highlighted imperfections in the financial crime compliance ecosystem. The retrospective filing of SARs is just one example of the “too little too late” nature of current processes for preventing financial crime.

The scandal has revealed other gaps in the system too, such as:

  • Instances of clients that should never have been onboarded in the first place, either because the banks failed to identify beneficial ownership, or because of ineffective or lacking anti-financial crime risk policy, which would have determined that no business should be conducted with them.
  • Clients whose relationships should have been terminated by the bank as a result of ongoing due diligence checks.

Screening controls are crucial here. Adverse media and enforcement screening is a key tool for flagging AML/CFT risks as it enables institutions to detect early on that the person they’re onboarding is involved in fraud, corruption, or another financial crime. This should empower the bank to refrain from opening the account and avoid the situation of needing to detect and report their suspicious transactions.

However, there are interesting conflicts of interest within banks when deciding whether to prioritise their AML/CFT obligations or the prospect of lucrative commission. Clearly, there is more to be done to ensure the full and timely reporting of suspicious activity in the interests of combatting crime, regardless of whether banks will take a hit to their top line.

Can FIUs handle such a deluge of Suspicious Activity Reports?

Although banks form the frontline of controls and have a duty to refrain from facilitating suspicious transactions, it is not their role to investigate and prosecute financial criminals. That is, of course, the role of the law enforcement authorities.

What did FinCEN do with the 12 million SARs filed between 2011 and 2017? To conduct in-depth investigations into each would have required huge investment in time and resources.

According to US Treasury figures, the number of people working at FinCEN has decreased by more than 10% since 2010, while the number of SARs has risen. Jamal El-Hindi, acting director of FinCEN in 2017, testified to the U.S. Congress that the department faced hiring issues.[2]

Like the private sector, the public authorities need to strike a balance between cost and meeting their obligations. Efficiency is therefore not just a problem for financial institutions, but for the regulators themselves, as they strive to provide the judiciary with the intelligence necessary to investigate and prosecute criminals. There are other examples of failings in this area; earlier this year, Germany raided its own FIU over a backlog of suspicious activity reports.

While it’s clear banks have a major role to play, regulators also need to live up to their own expectations.

Financial crime compliance effectiveness has never been more important

There is growing consensus in the industry that the critical shortcomings in the fight against financial crime do not lie in the lack of formal regulations, guidance, standards, or best practices, but in the fact that these compliance processes are excessively formal to the detriment of their effectiveness.

AML/CFT compliance is often described as a “box-ticking exercise” and many critics fear this hinders the end-goal of actually disrupting the activities of financial criminals. Therefore, theoretical policies and procedures, and ambitious laws, fall short in terms of their practical implementation and enforcement.

The Financial Action Task Force (FATF) rates the United States only “partially compliant” for suspicious activity reporting (FATF Recommendation 20). The rating describes “several moderate shortcomings with respect to the scope (non-covered IAs), aggregated thresholds and time allowed to file SARs (30 and 60 calendar days)”.

While FATF also acknowledges that the U.S. AML/CFT regulatory framework is among the most effective globally, it is not yet enough.

FinCEN appears to understand the need for greater effectiveness, and recently launched a consultation to enhance the effectiveness of AML/CFT programs. The Advance Notice of Proposed Rulemaking (ANPRM) suggests making some regulatory amendments under the Bank Secrecy Act, “to provide financial institutions greater flexibility in the allocation of resources and greater alignment of priorities across industry and government, resulting in the enhanced effectiveness and efficiency of [counter]-money laundering programmes.”

The timing of the announcement is no coincidence. FinCEN is clearly aware that the current provisions are falling short of their goal of preventing the flow of illicit funds around the world, as the leak has shown.

A call to arms

There are no winners in scandals such as the FinCEN Files – except, perhaps, for the media who can profit from sensationalist headlines. Neither the banks nor the regulators come off well.

This case can, however, be used as a call to arms for positive change. One such step forward could be stronger public-private partnership, as well as collaboration in other areas, to ensure the right information is shared between institutions.

The FinCEN Files have created an opportunity to shift standards, increase the emphasis placed on skills and practices, and avoid simply “box-ticking”.

Ultimately, it is a chance for everyone across the industry to unite around the critical objective of effectively preventing criminals from benefiting from their ill-gotten gains.

[1] https://www.icij.org/investigations/fincen-files/suspicious-activity-reports-explained/

[2] https://www.fintechfutures.com/2020/09/leaked-fincen-files-show-banks-allowed-2trn-in-suspicious-transactions/